From phishing scams to compromised passwords: U of T cyber security expert on how to stay safe online

The internet is everywhere – from smartphones to cars and fridges. While that means our apps and appliances are more sophisticated than ever before, so too are the hackers, scammers and phishers who are trying to access your personal information.

Today, the University of Toronto is raising awareness about managing the risks of the digital world and providing resources to help the university community stay safe online with Data Privacy Day events taking place on the downtown Toronto campus. There is also a wealth of information available at securitymatters.utoronto.ca, including tools like Citizen Lab’s security planner, which gives you a personalized online safety recommendation, and a series of video tutorials with online safety tips.

Protect your passwords

“Password management is one of the most important things for everybody to be paying attention to right now,” says Straley.

Compromised accounts are one of the primary ways that data breaches happen, but there are a number of ways to keep yours safe and secure.

The first is to use websites or applications that offer two-factor or multifactor authentication, where you are required to provide more than just a password when logging in.

“When you're using banking or other online tools, they might send you a code in addition to putting in your password or might have you push a button on your phone,” says Straley. “What this does is make it harder for an attacker to just know your password because you have to have the other information to be able to log in.”

The university is starting to roll out two-factor authentication for Office 365 for faculty and staff, he says.

Straley also says to avoid reusing passwords, but recognizes that remembering them all can be a challenge.

“Using a password manager is a really good tool,” says Straley. Apps like Password Safe and KeePass allow you to generate and store multiple passwords in one safe place – and not in your head.

But don’t put everything in your password manager, Straley warns. “Take the logins that are the most sacred or most important – protect the highest risk information – and remember those. But put everything else in the password manager so you don't have to waste your valuable brain space on remembering half a dozen passwords.”

Don’t be bait for phishing scams

It’s getting harder to distinguish an email scam from a legitimate message, but there are a few red flags you should be aware of, says Straley.

“Number one is almost always urgency,” he says. “When someone is asking you to do something fast.”

Emails warning you that your account is about to be locked, or that you’ve gone over a quota, are likely coming from illegitimate sources.

“Another one we’re starting to see more of are emails that look like they come from a supervisor or a manager or a colleague that say, ‘Hey, I'm really busy right now, can you help me out?’”

Don’t be fooled by these seemingly personal messages, says Straley. As soon as you agree to help, the scammer will ask you to do something for them, like buy a gift card.

“When you do, you end up spending your money and giving the gift cards to the attackers,” he says.

Personalize your privacy settings

It doesn’t matter whether you’re a technophobe or a social media addict: you need to decide what level of privacy you’re comfortable with online, says Straley.

“I'm surprised how often folks don't stop and think about what they expect from their online life. Most of the services are pretty open on their privacy settings,” he says.

With social media platforms like Twitter, Instagram and Facebook, Straley says to make sure that the sharing settings are restricted to the communities you are specifically looking to engage with online.

“Especially if you install a lot of social media and tools that have applications on the phone or multiple devices, those tools will ask for a lot of permissions like ‘give us access to all your photos or your mic, camera, or your location settings,’” he says.

Depending on the operating system you use, Straley says, you can choose to share your information with an application only when you're using it.

Cyber crime fighting at U of T

“A big portion of what we do is identifying different resources that would be attacked and making sure they are protected,” says Straley of his information security team.

“We’ve got tools that allow us to detect attacks – in our jargon they're called intrusion prevention or detection systems – and we have other ways to look for bad activity,” he says.

U of T also co-ordinates with fellow higher education institutions, governments and other organizations so it knows what to look out for.

“One of our biggest challenges is just keeping up with the attackers,” Straley says.